Privacy Policy

Last updated: 1 March, 2026

Thank you for using the Qlero platform and for taking the time to read this Privacy Policy.

1. Introduction

We believe that transparency is an essential part of building trust, especially in a platform that manages royalty and payment-related data. This Privacy Policy explains how we process personal data in connection with our services, including:

• the categories of personal data processed through the Platform
• the purposes and legal bases for such processing
• our respective roles as Data Controller and Data Processor
• how personal data may be shared
• how long personal data is retained
• the technical and organizational measures implemented to protect personal data
• your rights under applicable data protection legislation

‍

Our objective is to provide clear and transparent information about how personal data is handled within the Platform and to demonstrate our commitment to compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This Privacy Policy shall be read in conjunction with the Terms of Use. Capitalized terms not expressly defined herein shall have the meanings assigned to them in the Terms of Use. Terms relating to data protection that are not defined in this Privacy Policy or the Terms of Use shall have the meanings assigned to them under applicable data protection laws, including the GDPR.

‍ 2. What is personal data and what does the processing of personal data mean?

2.1 Personal data means any information that relates to an identified or identifiable natural person. A person may be identifiable either directly (for example through a name) or indirectly, in particular by reference to an identifier or a combination of data points that can be linked to that person.

This means that even information which does not, on its own, identify an individual may constitute personal data when combined with other information available to us or to our customers.

• Within the context of the Platform, examples of personal data may include:
• Name of a User, Payee, artist, songwriter or other rights holder
• Personal identity number (where applicable)
• Email address and contact details
• Business registration details or VAT number where linked to a sole trader
• Bank account details (e.g., IBAN)
• Royalty statements and self-billing documentation containing identifiable information
• IP address, device information and usage logs linked to a User account
• User IDs or account identifiers connected to an individual

2.2 The processing of personal data includes every action connected to the use of the personal data, regardless of whether such an action is performed automatically or not. This means that the following actions, among others, are included:

• Collection
• Registration
• Use
• Alteration
• Storage
• Disclosure by transmission
• Deletion

‍ 3. For whom is this policy applicable?

This Privacy Policy shall primarily be applicable to individuals who are Users of our services and from whom we collect and process personal data (”Data Subjects”). Different parts of this Privacy Policy may also be relevant to you depending on your relationship with Qlero. This Privacy Policy applies to individuals who use the Platform on behalf of a customer (such as record labels, publishers, distributors or other rights holders), as well as to individuals whose personal data is processed through the Platform in connection with royalty management and payment workflows.

4. For what areas is this policy applicable?

This Privacy Policy regulates how we collect and process personal data in connection with the operation of the Qlero royalty management platform, including User account administration, royalty calculations, self-billing workflows, analytics, and security monitoring.

5. What does it mean to be a Data Controller/Processor?

A Data Controller is a legal person or other entity that determines the purpose and means for the processing of personal data. An organization acts as a Data Controller when it decides why personal data is processed and how the processing is carried out, for example in relation to its own employees, customers, Users, partners or other individuals.

A Data Processor is a legal person or other entity that processes personal data on behalf of a Data Controller. A corporation acts as a Data Processor when it processes personal data according to the documented instructions of the Data Controller and only for the purposes defined by that Controller, without independently deciding how or why the data is processed.

6. Qlero as a Data Controller/Processor

We, Qlero AB (company reg. no. 559496-7654) act as a Data Controller when processing personal data relating to User accounts, authentication, analytics, support, and security monitoring.

When our customers use the Platform to manage royalties, Payees, contracts, self-billing, and payment-related data, we act as a Data Processor on behalf of the customer in accordance with a separate Data Processing Agreement.

7. Why are we allowed to process personal data?

7.1 For it to be permissible for us to process personal data there must always be support for said treatment within the GDPR, so-called lawful basis. Such lawful basis may include:

• Consent from the Data Subject
• That the processing of personal data is necessary to fulfill the terms of an agreement with the Data Subject, for example in relation to the use of the Qlero services, including when providing royalty calculation, reporting, and self-billing functionality through the Platform)
• Fulfilling a legal obligation, for example storing certain information due to legislation regarding certain accounting standards and practices. This could also be the case when handling opt-out settings requests concerning your rights as a Data Subject in accordance with the GDPR.
• A weighing of interests when we have a legitimate interest in using your data, for example for statistical purposes and to market our services, to secure payment (when applicable) and prevent fraud.

7.2 It may occur that the same personal data is processed both when giving you customer support ( fulfilling the terms of an agreement) as well as based on your consent or when fulfilling another legal obligation. This means that even though you may revoke your consent and the processing based on said consent ceases, that specific personal data may remain with us for separate reasons.

8. What personal data do we process, and why?

In this section, we explain how your personal data is used in order for us to be able to provide you with relevant experiences, services and offers.

8.1 When a Customer registers an account

When a company registers for the Qlero Services, we process personal data relating to its designated representatives, such as:

• Your company name and registration details
• Name and email address of the designated System Administrator
• Role and access level within the Platform

8.1.1 We handle your personal data in order to:

• Set up and administer the Customer account
• Provide access to the Platform
• Provide and maintain the Services
• Manage billing and payments
• Communicate regarding the Services

8.1.2 Legal grounds for the processing

We process your personal data based on:

• fulfilling the terms of our agreement when we provide our services in accordance with our Terms of Use;
• a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to secure payment and prevent fraud
• a legal obligation for handling opt-out settings requests concerning your rights in accordance with the GDPR

8.1.3 Period of storage

We retain account and support-related personal data for the duration of the customer relationship and for a limited period thereafter to handle disputes, support matters, and security follow-up, unless longer retention is required by law.

8.2 When Users access the Platform under a Customer account

When a User (e.g., employee, consultant or Payee) is granted access to the Platform, we process:

• Name
• Email address
• Role and access permissions
• Login and usage data

8.2.1 We handle your personal data in order to:

• Set up and administer the User account
• Enable secure access to the Platform
• Manage User permissions
• Ensure system security and integrity
• Provide support
• Communicate regarding the Services

8.2.2 Legal grounds for the processing

We process your personal data based on:

• fulfilling the terms of our agreement when we provide our services in accordance with our Terms of Use;
• a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to secure payment and prevent fraud
• a legal obligation for handling opt-out settings requests concerning your rights in accordance with the GDPR

8.2.3 Period of storage

We retain account and support-related personal data for the duration of the customer relationship and for a limited period thereafter to handle disputes, support matters, and security follow-up, unless longer retention is required by law.

8.3 Usage of the Qlero Platform and Services

When you are a User of our Platform and Services, in addition to the provisions described in sections 8.1, we also process:

• data about your User account, for example User ID, subscription level and security code
• data about your usage of our services, including use of royalty calculation features, reporting modules, file uploads, and administrative actions within the Platform
• analytics data, that may include IP address, device type, browser information, session identifiers, timestamps, feature usage events, and performance metrics.

8.3.1 The personal data is processed in order to:

• administer your User account, for example Username and password
• inform you of personal and tailor-made offers, campaigns, and benefits from us and our cooperating partners, for example by email
• provide, maintain, test, improve and develop the digital services and the technical platform used to provide our services. The personal data is solely used for internal operational and product improvement purposes and is not used for advertising or AI training.
• ensure the security of our services, and discover or prevent various types of unlawful use, or use which otherwise contravenes the Terms of Use of our services

8.3.2 Legal grounds for the processing:

We process your personal data based on

• fulfilling the terms of our agreement when we fulfill our obligations towards you as a User (for example administering your User account and providing relevant offers) and
• a weighing of interests when we have a legitimate interest in using data about your usage of the Qlero services and your purchasing history to produce statistics needed to develop, improve, and ensure the functionality and security of our services.

8.3.3 Period of storage:

We retain account and support-related personal data for the duration of the customer relationship and for a limited period thereafter to handle disputes, support matters, and security follow-up, unless longer retention is required by law.

8.4 When you add a contact person or billing person to an invoice

When your company adds a contact person or billing person to any invoice we handle the following information which you personally provide to us:

• Name
• Contact details (e.g. email address)
• Role or business affiliation

8.4.1 We handle your personal data in order to:

• provide our services in accordance with our Terms of Use

8.4.2 Legal grounds for the processing

We process your personal data based on:

• fulfilling the terms of our agreement when we provide our services in accordance with our Terms of Use;

8.4.3 Period of storage

Personal data related to account administration is retained for as long as the Customer maintains an active account and thereafter for a limited period necessary to handle inquiries, disputes or complaints.

Where personal data forms part of royalty records, financial documentation or transaction history, such data may be retained for longer periods in accordance with applicable legal obligations, including accounting and tax legislation.

8.5 When you communicate with us

You can choose to communicate with us in different ways, for example via social media or through email with our customer service. When you communicate with us, we process data which you personally provide to us, for example:

• name and contact information
• information regarding your views, questions, or matters

8.5.1 We process your personal data in order to:

• answer questions and handle your concerns, for example addressing defects, handling complaints and questions about the Qlero services
• improve our services and the information we provide and publish on our website

8.5.2 Legal grounds for the processing:

We process your personal data for our, and your, legitimate interest in administering your customer service request (weighing of interests).

8.5.3 Period of storage:

We save your personal data for up to 12 months after the matter is closed in order to ensure traceability in your communications with us.

8.6 When we process royalty and payment data on behalf of our Customers

Depending on how our Customers use the Platform, we may process personal data relating to Payees and recipients of royalty payments, such as:

• Name and contact details
• Personal identity number (if applicable)
• Sole trader / business details and registration details
• VAT number ( Sw. “ momsregistreringsnummer”)
• Billing or registered address and country of residence/establishment (where relevant)
• Bank account details (e.g., IBAN, bank name)
• Royalty statements and self-billing documentation (e.g., invoice/self-bill number, dates, line items, amounts, currency, VAT)
• Transaction references (e.g., payout IDs, reconciliation references)
• Payment files generated through the Platform (e.g., SEPA XML files)

8.6.1 We process your personal data in order to:

• enable customers to calculate royalties
• generate royalty statements and self-billing documentation
• prepare payment and reconciliation workflows
• maintain accounting records

8.6.2 Legal grounds for the processing:

The customer determines the lawful basis for such processing. Qlero processes the data on documented instructions from the customer.

8.6.3 Period of storage:

Royalty and accounting-related records (including self-billing documentation and transaction references) may be retained for longer periods where required by applicable accounting and tax legislation.

9. Automated processing and royalty calculations

9.1 The Platform performs automated royalty calculations based on contractual parameters and input data configured and provided by the customer.

9.2 The Platform does not independently determine legal entitlement or payment rights; customers remain responsible for the contractual terms, the accuracy of input data, and any decisions to execute payments.

10. How long do we generally store personal data?

Your personal data is stored only during the period for which there is a need to store the information to be able to fulfill the terms of our agreement. We may store your personal data longer if this is necessary from a legal standpoint or to safeguard our legal interests, for example within the scope of legal proceedings that we are involved in.

11. Security measures to protect personal data

11.1 We implement appropriate technical and organizational measures to protect personal data processed through the Platform, taking into account the nature of the services, including royalty and payment-related workflows. Such measures include, among others:

• Encryption of personal data both in transit and at rest
• Role-based access controls to ensure that access is limited to authorized Users
• Secure authentication mechanisms, including password protection and additional verification measures where enabled
• Segregation of operational environments to reduce risk exposure
• Logging, monitoring and audit mechanisms to detect and investigate unauthorized access or abnormal activity
• Backup and recovery procedures to ensure data availability and resilience
• Hosting within professionally managed cloud infrastructure environments

Security measures are regularly reviewed and updated in light of technological developments and evolving risk levels.

11.2 To ensure an adequate knowledge level regarding processing of personal data we will arrange ongoing educational efforts regarding GDPR, both for our employees as well as the consultants that may from time to another be contracted to do work for us.

12. When do we share personal data?

12.1 We will not sell, make available or spread personal data to third parties with the exception for what is stated throughout this Privacy Policy. Within the scope of the Qlero services, personal data may be shared to subcontractors or partners, if this is necessary for the fulfillment and performance of our services. Key service providers may include: Microsoft Azure (hosting, database and storage), Vercel (frontend hosting), Auth0 (authentication), PostHog (product analytics), and Azure Application Insights (monitoring and logging). Personal data processed on behalf of individual Users may also be accessible within the relevant customer organization in accordance with configured User roles and access permissions. In any instance where we choose to share personal data we will enter into a Data Processing Agreement to ensure that the recipient of the personal data processes said information in accordance with applicable legislation as well as to ensure that the recipient has taken the necessary technical and organizational actions to, in a satisfactory fashion, be able to protect the rights and freedoms of you as a Data Subject.

12.2 Furthermore we may share personal data if we are required to do so by law, court order or if withholding such personal data would hinder any ongoing legal investigation.

12.3 We aim to host and store personal data within the EU/EEA. If personal data is transferred outside the EU/EEA (for example, due to the use of global service providers), we will implement appropriate safeguards such as the EU Standard Contractual Clauses where required.

13. Your rights

13.1 We are responsible for your personal data being processed in accordance with applicable legislation.

13.2 Upon your request, or at our own initiative, we will correct, de-identify, delete or complete any information that has been found to be wrongful, incomplete or misleading.

13.3 You have the right to demand access to your personal data. This means that you have the right to demand transcripts regarding the processing that we have maintained over your personal data. You also have the right to receive a copy of the personal data that are being processed, the purpose of the storage and processing as well as to whom said information has been made accessible. You also have, the right to be informed of the period of time in which the personal data will be stored and what criteria we have used to determine said period of time.

13.4 You have the right of correction of your personal data. We will, upon your request and as quickly as possible correct the incorrect or incomplete personal data we process in regard to you.

13.5 You have the right to demand deletion of your personal data. This means that you have the right to demand that your personal data is removed if it is no longer necessary for the objectives for which it was gathered. There may exist legal requirements stating that we may not immediately delete personal data (for example in terms of auditing and taxation related legislation). We will in any such case cease the processing being done for any other reasons than to adhere to the legislation of GDPR.

13.6 You have the right to object to any processing of personal data that is carried out on a lawful basis of weighing of interests. If you object to such processing, we will only continue the processing if there are legitimate reasons for the processing that outweigh your interests.

13.7 If you do not want us to process your personal data for direct marketing, you always have the right to object to such processing. This is done either by unregistering in each specific email or by sending us an email at info@qlero.io. When we have received your objection, we will cease the processing of personal data for any such marketing. You also have the right to report our processing of your personal data to any public authority responsible for monitoring the application of the GDPR, for example The Swedish Authority for Privacy Protection (IMY). However, we do recommend that you contact us first so that we can try solving the matter in a more efficient and timely manner.

14. Changes to this policy

We reserve the right to make amendments to this Privacy Policy from time to time. The date for the latest amendment is stated at the end of this Privacy Policy. If we make any amendments to the Privacy Policy, we will publish these amendments on our website. You are therefore recommended to read this Privacy Policy regularly to view any potential amendments.

15. Contact

Qlero AB (company reg. no. 559496-7654) is the Data Processor for the processing of your personal data. If you would like to have additional information on how your personal data is handled, please contact us through a written and personally signed request sent to:

Qlero AB

Sibyllegatan 17, 114 42 Stockholm

Sweden

To ensure that personal data is not disclosed to unauthorized persons, we may request additional information to verify your identity before responding to your request.